0
votes

We marked "Assertions Signed" in the OpenAM configuration.

If the SAML response coming from the IdP is signed but the SAML assertion is not signed, will OpenAM consider this SAML response a valid SAMLResponse?

Note: OpenAM version 13.0.0


2 Answers

0
votes

Ever since OPENAM-7055 was implemented, AM will consider a signed SAML response as if the assertion itself was signed. The JIRA issue has its fix version set to 13.0.0, so this behaviour should already be correct in that version.

0
votes

If the SAML response coming from the IdP is signed but the SAML assertion is not signed, will OpenAM consider this SAML response a valid SAMLResponse?

No, as SAML response signing is different from Assertion signing.

Side note: Assertion signing can be negotiated via attributes in the SAML metadata. SAML response signing has to be negotiated out-of-band, as the SAML metadata specification has not defined an attribute for it.
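Both answers turn on where the XML Signature sits, so here is an added illustration (not OpenAM's code and not either answerer's) that parses a constructed SAML Response, reports whether the Response envelope and the Assertion each carry their own ds:Signature, and applies the two readings of an "Assertions Signed" requirement. It only locates signature elements; it does not verify them, and the sample XML, element IDs and issuer name are made up.

```python
"""Where do the XML Signatures sit in a SAML 2.0 Response? (added illustration, not OpenAM code)
Structural check only: it locates ds:Signature elements and does not verify them;
real validation needs an XML-DSig library and the IdP's signing certificate."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the Response envelope is signed, the Assertion inside it is not.
SAMPLE_RESPONSE_SIGNED_ONLY = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>idp.example</saml:Issuer></saml:Assertion>
</samlp:Response>"""


def signature_locations(response_xml: str) -> dict:
    """Report which elements carry an enveloped signature as a direct child.
    An enveloped XML-DSig signature sits directly under the element it signs, so a
    Signature inside the Assertion covers only the Assertion, while one directly
    under the Response covers the whole Response, Assertion included."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertions_signed": [a.find("ds:Signature", NS) is not None
                              for a in root.findall("saml:Assertion", NS)],
    }


def acceptable(locs: dict, response_covers_assertion: bool) -> bool:
    """Apply an 'Assertions Signed' requirement to the locations found.
    response_covers_assertion=False is the strict reading in the second answer (each
    Assertion must carry its own signature); True is the OPENAM-7055 behaviour the
    first answer describes, where a signed enclosing Response is accepted instead."""
    if not locs["assertions_signed"]:
        return False  # no Assertion at all: nothing to log the user in with
    if all(locs["assertions_signed"]):
        return True
    return response_covers_assertion and locs["response_signed"]


if __name__ == "__main__":
    found = signature_locations(SAMPLE_RESPONSE_SIGNED_ONLY)
    print(found, "strict:", acceptable(found, False), "lenient:", acceptable(found, True))
```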